Architect Data Action calling Lambda returns 403 InvalidSignature — IAM Trust Policy issue?

We are trying to invoke an AWS Lambda function from a Genesys Cloud Architect flow using a Data Action. The goal is to send some call metadata to our backend for processing. I have the Lambda function deployed and it works fine when I test it manually in the AWS console.

The issue is when Architect calls it. I get a 403 Forbidden error with the message “InvalidSignature”. This usually means the AWS signature calculation is wrong or the credentials don’t have permission.

Here is the JSON configuration I am using for the Data Action in Architect:

{
  "request": {
    "method": "POST",
    "url": "https://lambda.us-east-1.amazonaws.com/2015-03-31/function/my-function-name/invocations",
    "headers": {
      "Content-Type": "application/json",
      "Authorization": "AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20231027/us-east-1/lambda/aws4_request, SignedHeaders=content-type;host, Signature=..."
    },
    "body": "{\"phoneNumber\": \"{{call.phoneNumber}}\"}"
  }
}

I am generating the Authorization header using the AWS Signature Version 4 process in a previous scripting step. The code for signing looks correct to me. I have double-checked the timestamp and the region.

The IAM role attached to the user making the API call has lambda:InvokeFunction permission. But I am wondering if the Trust Policy on the IAM role is the problem. The Lambda function itself doesn’t have an IAM role; it uses the execution role. But the caller needs permission to invoke it.

Is there a specific policy statement needed for the Genesys Cloud integration user to call Lambda? Or is the signature calculation failing because of the way Architect handles the request body? I tried sending an empty body and it still failed.

Also, the documentation says to use the POST method. I am using that. But maybe the X-Amz-Target header is missing? I tried adding it but it didn’t help.

Any ideas on what I am missing here? The error is very generic.
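The signing step the post describes, written out as an added example (not code from the original post, and not Genesys Cloud's or AWS's own tooling): a minimal Signature Version 4 signer for the Lambda Invoke endpoint. It assumes the request carries x-amz-date and x-amz-content-sha256 headers alongside content-type and host, uses AWS's documented example key pair as constructed credentials, and fixes the clock so the output is reproducible. The point it shows is that the payload hash and every signed header are part of the canonical request, so a body or header that differs between signing and sending (for example a template such as {{call.phoneNumber}} substituted after the Authorization header was computed) produces a different signature than the one the server recomputes.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed credentials: AWS's documented example key pair, not a real identity.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION, SERVICE = "us-east-1", "lambda"
EXAMPLE_URL = "https://lambda.us-east-1.amazonaws.com/2015-03-31/function/my-function-name/invocations"
WHEN = datetime(2023, 10, 27, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility

def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def sign_lambda_invoke(url: str, body: str, when: datetime) -> dict:
    """Return the headers for a SigV4-signed POST to the Lambda Invoke API (query string assumed empty)."""
    parsed = urlparse(url)
    amz_date, date_stamp = when.strftime("%Y%m%dT%H%M%SZ"), when.strftime("%Y%m%d")
    payload_hash = _sha256_hex(body.encode("utf-8"))  # hash of the exact bytes that will be sent
    # Canonical headers: lowercase names, sorted; each one must reach AWS exactly as signed.
    headers = {"content-type": "application/json", "host": parsed.netloc,
               "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join(["POST", parsed.path, "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical_request.encode("utf-8"))])
    # Derive the signing key: secret -> date -> region -> service -> "aws4_request".
    k_date = _hmac(("AWS4" + SECRET_KEY).encode("utf-8"), date_stamp)
    k_signing = _hmac(_hmac(_hmac(k_date, REGION), SERVICE), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers

def demo() -> dict:
    """Sign the same request twice with different bodies to show the body is bound by the signature."""
    body_a = '{"phoneNumber": "+15550100"}'   # constructed sample payload
    body_b = '{"phoneNumber": "+15550199"}'   # same shape, different value
    return {"a": sign_lambda_invoke(EXAMPLE_URL, body_a, WHEN),
            "b": sign_lambda_invoke(EXAMPLE_URL, body_b, WHEN)}

if __name__ == "__main__":
    for name, h in demo().items():
        print(name, h["authorization"])
```

A quick way to use it while debugging is to sign the literal body the Data Action will actually send and compare the resulting Authorization and x-amz-content-sha256 values with what the flow puts on the wire.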